JPS5924353A - Method and apparatus for testing action with computer - Google Patents

Abstract

(57) [Summary] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention relates to an apparatus flea for operational testing of computers for process storage control monitoring.

Microcomputer-supported storage and control systems are now applied in many fields and meet high security requirements.

It is an important issue in process 1 that the process should not be cut directly for safety reasons or for effectiveness reasons after an error case. This problem is generally solved by introducing redundancy in the control and storage systems; the problem is in systems with two or more unrelated operating channels;
The system satisfies the control or storage task, and the microcomputer is responsible for switching storage, monitoring and error localization in the operating channels. As long as you work for
The error is identified on the control channel and a correct reaction allows the control unit 1Itt to bring the computer into a safe state.

Operational safety, moreover, is here concerned with the sources of error that ultimately occur in the computer. Computer failures may be limited in time (eg, circuitry failure, crosstalk) or persistent (component failure).

A typical erroneous operation will result in a computer shutdown (system cycle failure). When a computer is operated in infinite cycles, data errors occur such that commands (e.g., comparisons) can no longer be executed correctly due to defective arithmetic units associated with certain bit combinations, especially dynamic ones. Changes in the software inventory also result in software redundancy (where even a defective program storage device can no longer be correctly implemented).

7) It is common for two or more business machines (multiprocessor systems) to monitor each other and at even greater expense to convert software and software required to prevent systematic errors. This increases the safety of operation. (Article by Kunernshield, RTP 1981.8 volume).

In general applications, the states Q, l of the connected processes are especially logical states (e.g. switching position limit 1[1
1 alarm) with still continuous temperature? I can hear it.

Itt4'1f11 of many computers is not only re-examined by a trivial comparison of the bit-model water Qf (rather, it is profile-examined by a wide range of auxiliary software procedures, so that it can be widely incorporated into the applicability of multi-process systems). It will be done.

For reasons of error safety, one control device and eleven computers connected to it can control a total of A1, which is advantageous in terms of manufacturing and development costs. A simpler and more commonly used method is to use a watchdog.
! , they always expect constant notifications from the machine. Total n
In general, determine whether the machine is operating properly in essential operations, whether critical safety commands are not being carried out correctly, and whether the machine is operating properly in its essential operations. Can be tested. The presence of a fault is only recognized to both parties (stopping of the life signal) by switching the monitoring mechanism (watchdog), which usually has retriggerable reversal means. Moreover, this device is usually error-prone and failures or failures are only identified with insufficient probability. Switching failures can additionally remain unnoticed in main control switching of this type.

However, in precisely critical safety applications the hazards posed by individuals and equipment must be eliminated with the greatest possible probability, and the identification of all this failure cannot be abandoned, nor can the directing of auxiliary problems be avoided. This can be achieved through hardware monitoring.

The invention provides comprehensive monitoring of the computer so that wt8 machines can take into account the highest degree of risk (personal damage) when storing and monitoring processes for important safety issues. The objective of the vIA is to develop a method of the technology mentioned at the outset, making it possible to do so with the lowest possible manufacturing outlay.

According to the present invention, the problem is solved by the method of the characterizing part of claim 1. The method according to the present invention enables the computer or micrometer R to periodically monitor the essential operation of the machine.・And 1! ! The monitoring device can be brought to a safe location in the event of an error. This method has a particularly general applicability and furthermore has the advantage that any self-testing procedures of the computer are safeguarded by an effective monitoring method.

Through the received signals, the computer relies on and identifies the fully dynamic operation of the control device, so that independent double errors are eliminated and a fault-proof monitoring system is created.

A high level of security and prompt response to error conditions are guaranteed in the process. The interference of the machine is only effective when the control signal and the test signal are compared with the test signal (No. 11). Ru.

Prevent erroneous computer operations from affecting processes. This allows the introduction of a single channel gage system in critical safety process applications.

According to the configuration of the present invention, a digital test word is set as a test symbol in the processing language of a computer.For its formation, very simple hardware is required. However, the /X-ware makes the corresponding conventional watchdog switch essentially an enhanced monitoring range.

Digital test words can be changed dynamically according to certain fixed principles, and if certain conditions exist, then as a result you have to introduce this condition from the computer and identify it yourself. By dynamically changing the test words and by matching the word lengths by the controller and computer, a substantially increased monitoring range is achieved compared to conventional watchdog switching. Very effective monitoring of simple software production side implementations yields virtually all possible combinations and thus still conceals problems (dynamic and losstalk, errors and deadlock). )?- Since it is detected, it can be included in the internal storage of the computer.

The principle carried out in software is 4119 when processing.
- This can be achieved by using the machine's 11C essential safety operation and control machine command group, and indirectly proving the absence of errors by the coincidence of control signals and test signals. The control signal to be compared with the test word is, in particular, a data word transmitted by a computer, which must be transmitted, in particular, during a determined simultaneously reproducing time window. It is an important criterion for computer applications along with constraints and simulation problems.

The present invention extends to an apparatus for carrying out the method, which comprises a comparator and a control section for generating test signals, forming a total of n test signals and a control unit. Such a device requires only a small hardware outlay. The output signal of the comparator (retriggerable timing circuit) allows the memory component to return to the non-error state at the time of unequal input signals in the comparator, i.e., upon the occurrence of an error. Controlled so that the process is held or necessarily in a previously determined safe position (i.e. switched off) - If an additional alarm section is provided which can be controlled from a comparator , there is the advantage that errors can be acoustically and/or optically identified (scrubbed).

A non-retriggered timer connected after the comparator can create a small time window for periodic control of the computer. Two non-retriggered monoflops are particularly suitable for this. The first monoflop is controlled by a comparator, and the second monoflop is triggered by the fall of K pressure. When the tq pressure of the sail 2 monoflop falls, a shift cycle is output to the control unit. The control changes the test signal according to defined principles.

Convenience: Advantageously, when the unit is equipped with the pseudo accident number 2 generator, it generates the 1 moss test signal, which is periodically controlled by the shift cycle output from the timer. The feedback of the generator can be configured to produce as large a periodic period of test signal repetitions and as wide a range of execution as possible and all test signal criteria. It is further advantageous that the control section is free of bolt-related functions, since it can also meet certain minimum functions (such as renal alarms) in order to compensate for failures in the current supply. Equipped with pressure supply equipment.

One embodiment according to the invention is shown diagrammatically in FIG.

In the diagram vA1, a computer or microcomputer 10 receives signals 11 from a computer, such as a control system 12, for monitoring the process. The process number is then sent again via the output 13 and processed for carrying out optimization or switching in the process. and (in case of an error in the control system 12, the computer 10
In this state, the computer reproduces the correct information in the control system 12 by activating the output 134 and the replacement function (redundancy), or erases it. The device II thereby stops the control system 12, thereby controlling the safe state of the process (error prevention mechanism).

The operability of the computer 10 is also monitored by the control device lt, 151. The final error that may occur is converted into a signal by the signal generator 16, and the error is caused by the error source in the control system 12 inputted from the divider 10 via the input signal 17 or by the error source in the control unit 15. Total of 1! It is controlled by an error in the aircraft or by an error number in the control unit 15 itself, and generates an acoustic warning signal via the horn 19.

In contrast, the microprocessor of the computer 10 generates as an output 20 a single # signal in the form of a control ml or data signal of length 8 bits, for example, and then outputs this control signal by means of a four-bit output 35. communicate.

Control unit 15: pseudo accident number generator 22 included here
So-called be, al, be, varnish, (P, R%B, 8)
- Generator (Pseudo-) muscb-Bin r'
i r-81gnal), the control signal of the computer 10 (in contrast, a test word of the same length or a test signal in the form of a test word is generated. The test word and the control word are compared in the comparator 25. .

The output 26 of the comparator 25 is a monoflop 27 which is not retriggered upon a perfect match of both words and upon activation of the synchronized output 35, which emits a trigger impulse; , again after time -] triggers the monoflop 2B which is not simultaneously retriggered by a falling impulse edge.

After the expiration of the time window 'Fen5t, the output of the monoflop 28 becomes the same (-"F and therefore PI(88--discharges a shift cycle 30'ft--to the generator 22).

When there is no error in FitB@10, the total S machine 10 is the second one.
The time diagram in FIG. 1 shows that for one test word, for example "K+1', f, a control word K+1 is issued during the time window tpenst.

Comparator 25 then starts operation of monoflop 27. After time t- (this monochrome knob 27 falls,
The monoflop 28, which falls at the intermediate time, starts to sleep in order to determine the latest time window, during which the latest control word must be output.

The new test word '+2' is formed at the falling edge of the monoflop 28 at the intermediate time by the shift cycle 30 that occurred at that time. At the same time, the operation of the monoflop 27 is dynamically responded to by the receiving circuit 31.

But now, due to a defect in the computer 10, the next control word '+
2' does not occur during the first monoflop 27
will not start. As a result, after the pressure across the second monoflop 28 falls, both monoflops 2728 fall, and therefore the alarm unit 16 is controlled by the input 18 via the NOR gate 32.

Errors are also recorded and notified in the control unit 15 in the same way. In this case, if one or two monoflops fail (a2 is directly suppressed), or if the PRB8-generator 22 is defective, the comparator 25 During this process, you can expose and clarify the failure yourself.

In the special grinding section 15, the computer 1 takes measures such as software to expose hidden error possibilities.
0 produces an error control word or signal 35, and the secondary mlj section 15
Therefore, it is possible to accurately reexamine the response of the signal 31 based on the usage number of the signal 31.aAs shown in the time diagram of FIG. It is released when the machine 10 periodically generates a correct data word for a large time interval.

The transmission of the new correct control i'il1 word and the triggering of the timer 27 have a total of 14 filO functional possibilities and outputs (N No. 36
guarantee the effectiveness of the group. The storage part 37 after the trigger matches its output 13 from the received signal 31f and enables the process.

The alarm unit 16 and the Noah gate 32, which are not connected in the self-monitoring system, are further configured to be dynamically safe against faults and can be tested at any time or at regular intervals. In the latter case, carried out within the scope of a self-examination with the assistance of a total of JK Isozu, the data word is generated with a delay and therefore sends out a short warning beep. The operational ability of the Noah Gate 32 and the alarm unit 16 are re-examined by a computer, for example, by checking the signal of the alarm notification circuit 34 connected to the ¥t# alarm detector 33.

The principle of the test word must be constructed in the computer through repetition relations.

The passage of one cycle of '255' shift means (in this case, certain bit combinations (all combinations are not allowed so that errors can be confirmed 0000000)
0 + is used until 0+ is reached - Any auxiliary operation (operation-n-turn-1-comparison instruction) is performed in such a way that it backtracks again after another operation - As a software, redundancy This has the advantage that requirements such as time φ and security level and possibilities can be easily adapted because the degree of φ is determined by software.

11L program loop fiE with linear or obvious branching when individual instructions are distributed
There is a possibility of re-examination at a later stage. Cases like this are often found where the head of the head and the head of the head are combined.

Wise news office 341! A self-test is carried out at regular time intervals for re-examination of the contents of the stored program to ensure that during undisturbed commands the program portions which are not utilized are operated upon. ．．
Must be. The performance and results of the self-test can be monitored by a monitoring unit that directs σU.

[Brief explanation of the drawing]

FIG. 1 is a block diagram of a total N, machine number dependent operation testing device of the present invention, and FIGS. 2 and 3 are time diagrams. 10... Computer, 11... Signal, 12
... Control system, 15 ... Control section, 16.
...Alarm section, 17.18...Input, 19
...Honk horn, 20,26,35...Output, 22...Pseudo accident number generator, 23...
Data bus, 25...Comparator, 27,
28... Monoflop that is not retriggered, 3
0...Shift cycle, 31...Receive signal, 32...Noah gate, 33...
...Phone phase detector, 37...Storage device #. M person M, A en Mastinenfabric
Augspergnuernberg Akten

Claims (1)

[Claims] 1. Generating a control signal for identifying an error state by a computer, and generating a test signal by means of a computer;
Controlling the computer based on a comparison signal between the control signal and the test signal (thereby preventing the process from being influenced by the error state I) - or generating an alarm or changing the process to a safe state. Method 02 of an operation test using a total 3'I machine characterized by performing at least one of the transitions, the control of the computer is performed by comparing the control signal for the process and the test signal in each case ◆ A method according to claim 1, characterized in that: 3. A method according to any one of claims 1 and 2, characterized in that the test signal is a digital word of the processing language length of the computer. 4. Feature a'1, characterized in that the digital test word is dynamically changed according to a predetermined principle as soon as a certain condition exists; any one of claims 1 to 3; One method. 5. Method 06 according to Section 4, characterized in that the principle described in item 11 is carried out by appropriate software. 6. The method according to claim 5, characterized in that it is implemented using a set of instructions. 7. A method according to any one of claims 1 to 6, characterized in that the timing of the l1iII closing is carried out during a sub-determined and periodic time window. 8. Test signal and control signal of NHI machine aψ are taken in and compared with each other with comparator Q51.
Fl! 1. An operation testing device using a computer for memory, control, and process monitoring, characterized in that it has a control section α5) that generates a signal. 9. The device according to claim 8, characterized in that a timer means (27, 28) which is not retriggered is connected to the comparator (25). 10. From the timer means (27, 28). A device according to any one of Claims @Claim 8 and @Claim 9 to 11, characterized in that it is provided with a controlled control section αe. 11. Two re-trigger units for providing a time window as one means of the timer. 12. The device according to claim 9, characterized in that a monoflop (27 or 2 days) is provided.12. 13. A device according to any one of claims 8 to 11 of the patent S, characterized in that the voltage supply to the control unit (+51) is independent of the voltage supply to the computer +11. 14. A device according to any one of claims 8 to 12 (14) having a storage means, in which the output signals (a) of the total W and the machine fiG are correct control signals (a) Claims 8 to 13 provide that the ITf characteristic is such that the output of the storage means is connected to the output signal (3υ) of the storage means only when the output of the signal instructs the receiving circuit Gυ. Any one of the devices.